Learning from the MOVEit Transfer Hack: A Story of Cyber Threats and Resilience

Summer 2023, just as we were all settling back into some sense of normality, a silent menace was making its way through the world.

 

The MOVEit Transfer hack became one of the year’s most significant cyber incidents, impacting a significant number of organisations. At ITogether we kept an eye on what unfolded, not because it’s a sensational headline, but because it holds valuable lessons for all of us about staying secure.

 

It recently made the headlines again for two reasons. A new critical flaw in its SFTP module that allows attackers to bypass authentication (CVE-2024-5806, https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806) has just been identified, and the Texas Dow Employees Credit Union (TDECU) has only just discovered (July 2024) that over 500,000 of its members had their personal information compromised in a data breach involving the software last year.

 

MOVEit Transfer, developed by Progress Software (and integrated by several other vendors and websites), quietly and reliably moves sensitive files from one place to another for businesses across the globe. It’s not flashy and doesn’t seek the spotlight. But in June 2023 a critical vulnerability, officially labelled CVE-2023-34362, was discovered, and the product was thrust into prominence for all the wrong reasons. In plain terms, this was a glaring security hole that nobody knew about: not the users, not the developers, not even the security experts. But the wrong people found it, and they were quick to exploit it.

 

The Unfolding of the Attack

The vulnerability at the heart of the MOVEit Transfer hack was CVE-2023-34362, a critical SQL injection flaw. It allowed unauthenticated attackers to reach the back-end database by sending specially crafted SQL statements through HTTP requests. Exploiting this flaw, attackers could potentially view, alter, or delete database entries, including sensitive information such as customer data and authentication credentials. The vulnerability existed because of insufficient input validation in the front-end web application, which failed to properly sanitise user-supplied data before using it in SQL queries.
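To make the flaw class concrete, here is an added illustration (not MOVEit Transfer’s own code, and not its schema) of the pattern described above beside its fix, using a constructed in-memory SQLite table:

```python
import sqlite3


def make_db():
    """Constructed stand-in for a back-end database (illustrative only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "key-alice"), ("bob", "key-bob")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The flawed pattern: user-supplied text is spliced straight into the SQL,
    so the input can change the shape of the query, not just its value."""
    sql = f"SELECT username, api_key FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The fix: the driver binds the value as data. Whatever the string
    contains, it is compared against the column and never parsed as SQL."""
    sql = "SELECT username, api_key FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a benign name and a constructed hostile string."""
    conn = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # constructed input that breaks out of the quotes
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # leaks every row
        "safe_benign": lookup_parameterised(conn, benign),
        "safe_hostile": lookup_parameterised(conn, hostile),  # no such user
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The hostile string returns every row from the concatenated query and nothing from the parameterised one, which is exactly the difference between "sanitise before use" and letting the database driver bind values.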

 

The CL0P ransomware gang, a well-known group in cybercrime circles, identified this vulnerability and saw an opportunity. Imagine a burglar finding an unlocked back door in a row of houses; that’s effectively what happened here. They began by scanning the Internet for instances of MOVEit Transfer and exploiting the SQL injection flaw on the ones they found. Once inside, they deployed web shells: sneaky scripts that let them control the servers remotely, much like having a secret key to the building. These web shells were hidden in plain sight, often disguised with names and locations that made them hard to spot.

 

Could It Have Been Prevented?

Hindsight is a wonderful thing, isn’t it? Whilst the vulnerability was a zero-day, meaning it was previously unknown and had no immediate fix, there are still lessons we can learn.

Firstly, regular updates and patches are crucial. Once Progress Software became aware of each flaw (CVE-2023-34362 and, later, CVE-2024-5806), they moved quickly to release a patch. Organisations that promptly applied these patches were able to close the door on the attackers.

Secondly, tools like App and API protection could have added an extra layer of defence. App and API protection can detect and block malicious traffic, including SQL injection attempts, by filtering out dangerous requests before they reach the origin server. For instance, Akamai’s App and API Protector is designed to protect web applications and APIs by inspecting incoming traffic and blocking malicious activity. By utilising Akamai’s App and API Protector, organisations can shield their applications from common web exploits and vulnerabilities, including ones that are not yet publicly known.

 

Akamai’s App and API protection leverages advanced threat intelligence and machine learning to identify suspicious patterns and behaviours. It operates at the edge of the network, providing protection closer to the source of potential attacks and reducing latency. This means that even if there’s a new vulnerability, the service can help prevent exploitation by blocking atypical requests that attempt to manipulate the application.

The adage “You get what you pay for” has never been more true. With Akamai, you have a partner with the technology, expertise, and commitment to safeguard your most sensitive applications while still achieving compliance. With today’s rising tide of cyberthreats taking aim, ask yourself: What is that worth?

 

Thirdly, network segmentation (Akamai Guardicore Segmentation) and the principle of least privilege can limit the damage if an attacker does get in. By restricting access rights and isolating sensitive systems, we make it harder for cybercriminals to move around.

 

The Human Element

While the technical details are important, we can’t overlook the human factor. Cybersecurity isn’t just about hardware and software; it’s about people. Training staff to recognise potential threats (for example with KnowBe4), encouraging a culture of vigilance, and having clear protocols in place can make a significant difference.

 

Bringing It Home

So, what does all this mean for us? Well, it’s a reminder that cybersecurity is everyone’s responsibility. Whether you’re a large corporation or a small business, the principles remain the same.

 

At ITogether, we’re committed to helping our whole community navigate these challenges. We understand that the world of cybersecurity is daunting, filled with jargon like CVE numbers and SQL injections. But we’re here to demystify it, offering practical advice and solutions tailored to your needs. We don’t talk like a dalek.

 

How We Can Help

 

  •   Security Audits: We’ll assess your systems to identify vulnerabilities, including potential exposure to known CVEs like CVE-2023-34362.
  •   Advanced Security Solutions: From implementing App and API Protection like Akamai’s App and API Protector to designing secure network architectures.
  •   Employee Training: Empower your team with the knowledge to spot and prevent cyber threats, with continuous reinforcement (KnowBe4).
  •   Incident Response Planning: Be prepared with a clear plan of action if the worst happens, and be ready to communicate effectively.

 

A Story of Resilience and Collective Effort

 

The MOVEit Transfer hack is a story of challenges but also of resilience. It’s about recognising that while threats evolve, so do our defences. By staying informed, working together, and taking proactive steps, we can turn potential disasters into opportunities to strengthen our security.

 

As you read this, perhaps on your morning commute or during a quiet moment in the office, consider the digital footprints we all leave behind. Think about the steps you and your organisation are taking to protect your data. Are there gaps that need addressing? Are you confident in your defences? Have you tested them?

 

Let’s Continue the Conversation

Cybersecurity doesn’t have to be overwhelming. To find out more about how we can help you navigate the cybersecurity landscape, contact us at hello@itogether.co.uk
